CVE-2025-64517 is a vulnerability in sudo-rs, a Rust-based memory-safe implementation of sudo and su, specifically affecting versions from 0.2.5 up to but not including 0.2.10. The vulnerability arises when sudo-rs is configured with 'Defaults targetpw' or 'Defaults rootpw', which are intended to require the password of the target account (or root) rather than the invoking user for authentication. Due to a logic flaw, sudo-rs incorrectly records the invoking user's UID in the authentication timestamp instead of the authenticated target user's UID. This timestamp is used to bypass repeated authentication prompts within a valid time window. Consequently, a user with high privileges who knows the password of one allowed target account can exploit the timestamp to run commands as any other account allowed by the sudo policy without knowing their passwords. This effectively negates the security benefit of the 'targetpw' or 'rootpw' options, allowing privilege escalation and unauthorized command execution. The flaw does not affect versions prior to 0.2.5, which lack these options, and was fixed in version 0.2.10. The vulnerability has a CVSS 3.1 score of 4.4, indicating medium severity, with local attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to integrity. No known exploits are reported in the wild. The issue is classified under CWE-287 (Improper Authentication).

For European organizations, this vulnerability poses a risk of privilege escalation and unauthorized command execution on systems running affected versions of sudo-rs with 'targetpw' or 'rootpw' enabled. Attackers with high privileges and knowledge of one target account password can bypass intended authentication controls to execute commands as other privileged accounts, including root. This undermines the security model of sudo-rs and can lead to unauthorized access to sensitive data, system configuration changes, and potential lateral movement within networks. Organizations relying on sudo-rs for privilege delegation in critical infrastructure, government, finance, or healthcare sectors may face increased risk of insider threats or compromised administrative accounts. The local attack vector and requirement for high privileges limit remote exploitation but do not eliminate risk from malicious insiders or compromised accounts. The medium severity rating reflects the moderate impact and exploitation complexity, but the potential for significant integrity violations in sensitive environments remains.

1. Upgrade sudo-rs to version 0.2.10 or later, where the vulnerability is patched. 2. Audit all systems using sudo-rs to identify affected versions and configurations with 'Defaults targetpw' or 'Defaults rootpw'. 3. Temporarily disable 'targetpw' and 'rootpw' options if upgrading is not immediately feasible, understanding this may alter authentication behavior. 4. Implement strict access controls and monitoring on accounts with sudo privileges to detect unusual command execution patterns. 5. Employ multi-factor authentication for privileged accounts to reduce risk of password compromise. 6. Review and tighten sudo policies to limit the number of accounts a user can run commands as, minimizing the attack surface. 7. Conduct regular security training for administrators on the risks of privilege escalation and proper sudo configuration. 8. Use system integrity monitoring to detect unauthorized changes resulting from exploitation attempts. 9. Maintain up-to-date inventories of sudo-rs deployments and configurations to ensure timely vulnerability management.